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1.0 (U) Analysis Summary 


(S//NF) This report provides a high-level overview of the history of ransomware. There is little 
technical content in this report other than to note that the APIs used depend on the platform 
targeted (Windows, OSX, Linux, or mobile). No other details on how the ransomware malware 
is installed and implemented. The report provides a high-level discussion on the encryption 
algorithms used in the various types of ransomware and the payment systems used by the bad 
actors to monetize their attacks. 


(S//NF) The report makes the distinction between two families of ransomware: 
=" Locker ransomware where the malware denies access to the computer 
= Crypto ransomware where selected files and directories are encrypted 


(S//NF) Locker ransomware is generally designed to deny access to the computer interface, 
largely leaving the underlying files and system untouched. 


(S//NF) Crypto ransomware is designed to locate and encrypt important and valuable data and 
file on the system. 


(S//NF) The report provides an overview of how ransomware has evolved over the years, noting 
that the first ransomware malware dates back to around 1989 with the AIDS malware, which was 
distributed via 5-1/4 floppy disks. The modern era of ransomware dates to 2005 with 
Trojan.GPCoder, which was a crypto variant of ransomware. Some of the early ransomware 
samples in the modern era tended to be delivered via misleading applications such as 
performance optimization utilities. The delivery mechanism shifted in 2008/2009 to fake anti- 
virus utilities. In about 2011/2012 ransomware transitioned from crypto ransomware to locker 
ransomware such a Trojan.Randsom.C, which spoofed a Windows Security Center message. In 
2013 the ransomware market shifted back to cypto ransomware where most ransomware variants 
today reflect this type of malware. 


(S//NF) The report briefly discusses ransomware distribution strategies, focusing on the recent 
trend toward pay-per-install frameworks, which allows the malware authors to concentrate on the 
malware itself and leave the platform exploitation and penetration steps to others. 


(S//NF) While this report is very interesting and provides a comprehensive high-level overview 
of ransomware and its evolution over the years, there is insufficient technical detail on how the 
ransomware 1s installed, hidden/obfuscated, or executed. Therefore, no PoCs are recommended 
from this report. 


2.0 (U) Description of the Technique 
(S//NF) Not applicable as no PoCs are recommended. 


3.0 (U) Identification of Affected Applications 


(U) Windows, OSX, and mobile systems. 
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4.0 (U) Related Techniques 

(S//NF) Generalized malware, ransomware in particular. 

5.0 (U) Configurable Parameters 

(S//NF) Varied, depending on the target platform. 

6.0 (U) Exploitation Method and Vectors 


(S//NF) No specific exploitation methods were discussed. Social engineering and spam mail 
campaigns were mentioned. 


7.0 (U) Caveats 

(U) None. 

8.0 (U) Risks 

(S//NF) Not applicable as no PoCs are recommended. 


9.0 (U) Recommendations 


(S//NF) No PoCs are recommended from this report. 
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